We discussed securing Gmail and Hotmail accounts. We will now secure Yahoo! accounts. First, log in to your Yahoo! account, then click Account Info at the top right of the page, select the Account Security tab, and toggle on Two-step verification.

After toggling two-step verification, a window pops up. Select your country, enter your mobile number, and then select either ‘Send SMS’ or ‘Call Me’. For the purpose of this assignment I will go with ‘Send SMS’.

We discussed securing Google accounts before. You can reach that content from here. The following walk-through illustrates how to set up two-factor authentication for a Hotmail account. These instructions assume you have the following: an Android smartphone and an alternate email address registered with your Hotmail account. If you don’t, don’t fret: continue up to Step 3, then follow the on-screen instructions.

Step 5: Open the app and follow the on-screen instructions to sign in to your account. After signing in, you will be asked to verify your identity by having a security code emailed to your alternate email address.

Step 6: Back on the website, select ‘Next’ to complete the setup. Optionally, you can proceed further to create an app password for use on any devices that do not accept security codes.

The next time you or someone else tries to log in to your account from another device, an alert will be sent to your phone so you can verify that the login is authorized. If it is not, reject the attempt.

Click on your profile picture near the top right corner and a box with a few options will appear. Click the blue button named “My Account”.

A new tab will open with various options for your account. Click the “Sign-in & security” option.

Under “Sign-in & security” there is an option named “Signing in to Google”. Click that link next.

Under the section “Signing in to Google”, click the link “2-Step Verification”.

You will now be taken to the page where the setup process begins. Click the blue button named “Start setup”.

You will be asked to re-enter your password to continue with the setup process.

The first step of the setup process is to enter a valid phone number to which the codes can be sent. You will also need to choose how you want to receive the verification codes.

After you have entered the phone number, a code will be sent to the number you provided.

The third step asks whether you trust the computer you are using to set up two-step verification. Leave the box checked if you do; if you don’t, make sure to uncheck it.

The last step just asks you to confirm that you would like to turn on 2-step verification.

After confirming, you will be sent an email telling you that you have successfully turned on 2-step verification. The setup process is now done and no further steps are needed.

If you set up a secondary e-mail address and a phone number, you now need to keep access to them in order to recover your account. Of course you should provide this information to your service providers; otherwise, like Miley Cyrus, you can be easily hacked. (Of course, she should have provided a fake answer that only she knew.)

Most online banking websites in the US have now started to use dual authentication. They ask for your username and password, but also for a security code sent to your mobile phone. This is much better than password-only authentication.

Besides these improvements in security, we have to come up with a new and better way to authenticate. People forget. That is the reason they use the same password for several sites. You cannot just say “don’t do it”; they will do it anyway. You cannot just say “use 1Password or one of its alternatives”. As a security community, it is our responsibility to take a better approach, and that approach should bring more security as well as ease of use for regular users.

Password Management

Use the same password on systems that differ in risk exposure or data criticality.

Impose password requirements without considering the ease with which a password could be reset.

Thanks to Lenny Zeltser for his awesome cheat sheet. For the original document, please see http://zeltser.com/security-management/suck-at-security-cheat-sheet.html. If you have any suggestions other than the ones above, let me know! ismail@realinfosec.com

One of my friends recently had a problem with one of his Gmail accounts. The account was compromised. He was sure that he had been using a strong, unpredictable password. I asked him if he had ever used the internet in public places. His answer was no. He also uses an SSH proxy, so this cannot be a man-in-the-middle attack using ARP poisoning.

I am not sure whether Google’s password database was attacked and compromised or whether it was just an individual problem, but I wanted to check my Gmail account to see what security features Gmail has.

My friend realized his account had been compromised when he discovered a backup e-mail address that he knew nothing about.

The problem is that even though he can change the password, the current sessions would stay open. This is bad, since attackers can still read and send e-mail from his account.

After I checked my Gmail account I found the following:

As you can see, Gmail shows us the last account activity by giving the login time.

If you click the details, you will see this screen:

There are 5 IPs listed here. Now you can check whether you see any unfamiliar IP. I saw one IP in there. I checked it on whatismyipaddress.com and was surprised that it was from NY. I have an iPhone, so when I was on the 3G network I may have used a NY IP. However, it was listed as IMAP instead of mobile, which made me a little uncomfortable.

I used my iPhone and checked whether it was using the same network number in the IP address field. Yes, it did! And I felt much better :)

There is a button at the upper left to sign out of all open sessions except the current one. This makes sure that we are now the only one using this account.